Hello,
To clarify, are you trying to get to a point where the password to the Oracle 
schema looks something like this in server.xml?

password="2d9377fee736w1115ca984a1dfb99c943"

instead of unencrypted like

password=<unencrypted method>

so that someone wandering around your server can't get the password to your 
Oracle database?

-----Original Message-----
From: Loai Abdallatif [mailto:loai.abdalla...@gmail.com]
Sent: Wednesday, October 24, 2018 2:00 AM
To: Tomcat Users List
Subject: Re: 2 Factor Authentication Tomcat 7

Thanks Chris, I totally agree with you

On Tue, Oct 23, 2018 at 6:03 PM Will Nordmeyer <quark...@gmail.com> wrote:

> Chris,
>
> I understand all of that and am working all those concerns to the
> PTB... but as with many management situations reality doesn't fit with
> the "security" mindset.
>
> On Tue, Oct 23, 2018 at 10:59 AM Christopher Schultz
> <ch...@christopherschultz.net> wrote:
> >
> > Will,
> >
> > On 10/23/18 10:44, Will Nordmeyer wrote:
> > > I'm currently running Tomcat 7 (will likely migrate to 8 or 9 in
> > > the next year).  I tried working with Oracle on this with no
> > > success.
> > >
> > > We have an Oracle Database connection defined within our web.xml
> > > (see below).  We need to convert to using 2 Factor (certificate?)
> > > based Authentication.
> > >
> > > How do we convert from our embedded username password to 2FA
> >
> > Uhh...
> >
> > How would you enter your second factor into the server? During service
> > startup? What happens if the connection times out and you have to
> > re-authenticate? Do you want to be paged in the middle of the night to
> > re-enter your 2FA code? How about 10 times per hour on 100 different
> > servers?
> >
> > 2FA doesn't make any sense at all for services contacting other
> > services. 2FA makes sense for humans contacting services because
> > humans are so much worse at password management, social engineering
> > resistance, etc.
> >
> > If you have a segment of your IT team mandating 2FA for database
> > connections (even for services), tell them that THEY have to use THEIR
> > 2FA credentials to unlock the database for YOUR services. See how long
> > that policy survives.
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >